A healthcare group running several clinics came to us with a worry that did not fit the usual security pitch. They were not imagining a dramatic external attack. They were uneasy that, internally, almost anyone with a login could see almost any patient’s full record, and that if a record had been viewed inappropriately, nobody could prove who had looked or when. In a clinical setting, that is the kind of exposure that quietly erodes trust long before it becomes an incident.
Patient records are about as sensitive as data gets, and the people handling them are clinicians and front-desk staff, not security specialists. So the work had to make the safe path the easy path, or it would simply be worked around.
The challenges we had to solve
- Access was effectively all-or-nothing. Roles existed on paper but the system did not enforce them, so least privilege was an aspiration, not a control.
- There was no usable audit trail. Some logging existed, but it could not answer the one question that mattered: who accessed this patient’s record, and why.
- Reports and exports pulled far more personal and clinical detail than the task in front of the user actually required.
- Any control we added had to survive a busy clinic. Friction in the wrong place gets bypassed, and a bypassed control protects nobody.
How we approached it
We started by mapping who genuinely needed to see what, role by role, against the actual work each person does. That let us move from all-or-nothing access to access shaped by the task: a receptionist sees what scheduling needs, a clinician sees their patients in full, and reaching beyond your remit is possible but recorded and visible. We rebuilt the audit trail so that record access is logged in a form someone can actually review, and trimmed the reports and exports back to the fields each one needs, so minimisation became a property of the system rather than a memo.
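As an added illustration, not code from the engagement or from the group's own system, here is a minimal model of the three controls described above: record views shaped by role, with access beyond remit possible only against a stated reason and flagged in the audit trail; an audit trail that answers who looked at a patient's record, when and why; and exports trimmed to the fields each report needs. The roles, field names, report name and sample record are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record and role model; all field and role names are assumptions.
RECORD = {"patient_id": "P-1001", "name": "A. Example", "phone": "555-0100",
          "next_appointment": "2024-06-03", "diagnosis": "sample", "medications": ["sample"],
          "notes": "sample"}
SCHEDULING_FIELDS = {"patient_id", "name", "phone", "next_appointment"}
CLINICAL_FIELDS = SCHEDULING_FIELDS | {"diagnosis", "medications", "notes"}
ROLE_FIELDS = {"receptionist": SCHEDULING_FIELDS, "clinician": CLINICAL_FIELDS}
# Each report or export lists only the fields it needs, so minimisation is enforced by code.
REPORT_FIELDS = {"appointment_reminders": ["patient_id", "name", "phone", "next_appointment"]}

AUDIT_LOG = []  # append-only here; in production this would be a write-once store

@dataclass
class User:
    user_id: str
    role: str
    patients: set = field(default_factory=set)  # a clinician's own caseload

def in_remit(user, record):
    """A receptionist's remit covers every patient's scheduling fields;
    a clinician's covers only patients on their own caseload."""
    return user.role == "receptionist" or record["patient_id"] in user.patients

def view_record(user, record, reason=None):
    """Return only the fields the user's role allows. Reaching beyond remit
    (break-glass) needs a stated reason and is logged and flagged for review."""
    beyond_remit = not in_remit(user, record)
    if beyond_remit and not reason:
        raise PermissionError("access beyond remit requires a stated reason")
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user.user_id,
        "patient_id": record["patient_id"],
        "why": reason,
        "break_glass": beyond_remit,
    })
    return {k: v for k, v in record.items() if k in ROLE_FIELDS[user.role]}

def who_accessed(patient_id):
    """The question the audit trail must answer: who looked at this record, when, and why."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]

def export(report, records):
    """Trim an export to the fields the named report actually needs."""
    keep = REPORT_FIELDS[report]
    return [{k: r[k] for k in keep if k in r} for r in records]
```

Reviewing the entries where `break_glass` is true is the routine check that makes out-of-remit access visible rather than merely possible.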
Throughout, we kept the controls proportionate. A group of clinics does not need a bank’s security programme, and pretending otherwise would have bought friction without buying safety. We mapped the work to the data-protection obligations the group actually has to meet, documented the controls as they really operate, and left the team with something they can run themselves. The accountability for protecting patient data is the group’s to hold; our job was to make holding it realistic.
Where it stands
Staff now see what their role needs and no more, and when a question arises about who looked at a record, there is a clear, reviewable answer rather than a shrug. The exports carry only what they should. The group did not buy a fortress it could not staff; it got controls that fit a clinic and protect the people whose data it holds.
